Why the Cloud Matters

Speed & Business Impact
Expertise & Performance
Massive Cost Reduction

Cloud Computing Evolution
Security Challenges in the Cloud
A New Architecture for Data Centre Security

Different types of Clouds

Shared Resources
Virtualisation
Ability to charge for resources used

Server Under Desk
19" Rack
Computer Room

The Evolving Data Centre

Stage 1: Consolidation (Cost-efficiency)
Stage 2: Expansion & Desktop (+ Quality of Service)
Stage 3: Private > Public Cloud (+ Business Agility)

Datacenters are evolving to drive down costs and increase business flexibility

Security Challenges Along the Journey to the Cloud

IT Production
Business Production

Data destruction
Multi-tenancy
Diminished perimeter

71% of enterprises cite increase in complexity in the effort needed to secure the business amid these changes as a major challenge.

Substance Emerging from Cloud Hype

Public Cloud for Backup & Storage

Using public cloud services, GE reduced backup costs by 40% to 60%, created reusable processes in a rapidly deployable model.
Matt Merchant, General Electric (December 2009)

Pharmaceutical R&D and The Cloud

"Drug behemoth Eli Lilly and Co. ...uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations ... because they empower many subsets of users."
SearchCIO.com, 30 July 2009

Gartner Top 10 Strategic Technologies in 2010

"Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments."
SearchCIO.com, 22 October 2009

Cloud Computing & Security

"CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact."
Neil MacDonald, Gartner (Gartner Data Center Conference, December 2009)

Cloud Computing Compromises

Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)
Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)
Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)

Enterprise security challenges continue in the cloud

"The number one concern about cloud services is security"
Frank Gens, IDC, Senior VP & Chief Analyst

Key Challenges/Issues to the Cloud/On-demand Model

Security
Availability
Performance
On-demand paym't model may cost more
Lack of interoperability standards
Bringing back in-house may be difficult
Hard to integrate with in-house IT
Not enough ability to customize

Source: IDC exchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009

Who Has Control?

Servers
Virtualization & Private Cloud
Public Cloud IaaS
Public Cloud PaaS
Public Cloud SaaS

Amazon Web Services™ Customer Agreement

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

http://aws.amazon.com/agreement/#7 (3 March 2010)

The cloud customer has responsibility for security and needs to plan for protection.

Why Backup to the Cloud?

Problem #1

"Outside-in" approach and rapid virtualization have created less secure application environments

Virtualization & Cloud Computing Create New Security Challenges

Inter-VM attacks
PCI
Mobility
Cloud Computing

Stage 1: Server Consolidation
- Inter-VM attacks
- Instant-ON gaps

Stage 2: Expansion & Desktop
- Inter-VM attacks
- Instant-ON gaps
- Mixed Trust Level VMs
- Resource Contention
- Maintaining Compliance

Stage 3: Private > Public Cloud
- Inter-VM attacks
- Instant-ON gaps
- Mixed Trust Level VMs
- Resource Contention
- Maintaining Compliance
- Service Provider (in)Security
- Multi-tenancy

Chart labels: Desktops, Servers, 85%

Problem #2

Data protection is the most pressing concern, but data is mobile, distributed and unprotected.

Gartner recommends that any data leaving the data center be encrypted, which includes ... cloud services.
"Emerging Technology Analysis: Storage Data Security," Gartner, 25 November 2009



Challenge of Securing Data

Data Centre
- Strong perimeter security
- No shared CPU
- No shared network
- No shared storage

Cloud
- Weak perimeter security
- Shared CPU
- Shared network
- Shared storage

Data Security Challenges in the Cloud

Encryption rarely used:
- Who can see your information?

Storage volumes and servers are mobile:
- Where is your data? Has it moved?

Rogue servers might access data:
- Who is attaching to your storage?

Audit and alerting modules lacking:
- What happened when you weren't looking?

Encryption keys tied to vendor:
- Are you locked into a single security solution? Who has access to your keys?

Storage volumes contain residual data:
- Are your storage devices recycled securely?

Data Protection for the Cloud

Enterprise Data Centre or SaaS Offering
Cloud Service Provider

Name: John Doe
SSN: 425-79-0053
Visa #: 4456-8732...

Policy-based Key Management in the Cloud

Identity: "Is it mine?"
• Embedded keys
• Location
• Start-up time
• etc

Integrity: "Is it okay?"
• Firewall
• AV
• Self integrity check
• etc

Auto or Manual rules based key approval
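
One way the identity and integrity checks listed above could gate key release, as an added example that is not from the original slides or from any vendor product. The message fields, the policy fields and the DENY / PENDING_MANUAL / RELEASE mapping are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class KeyRequest:                 # hypothetical message a VM agent sends to the key server
    instance_id: str
    nonce: bytes                  # issued by the key server for this request
    proof: bytes                  # HMAC(embedded key, instance_id + nonce)
    region: str
    start_hour_utc: int
    firewall_on: bool             # integrity fields are self-reported by the agent
    av_age_days: int
    agent_sha256: str

@dataclass(frozen=True)
class Policy:                     # hypothetical per-volume release policy
    embedded_key: bytes
    regions: frozenset
    boot_hours: range             # UTC hours in which start-up is expected
    max_av_age_days: int
    agent_sha256: str
    auto_approve: bool            # False = every release waits for an operator

def prove(key, instance_id, nonce):
    return hmac.new(key, instance_id.encode() + nonce, hashlib.sha256).digest()

def evaluate(req, pol):           # returns (decision, failed_checks)
    expected = prove(pol.embedded_key, req.instance_id, req.nonce)
    identity = {                  # "Is it mine?"
        "embedded_key": hmac.compare_digest(expected, req.proof),
        "location": req.region in pol.regions,
        "startup_time": req.start_hour_utc in pol.boot_hours,
    }
    integrity = {                 # "Is it okay?"
        "firewall": req.firewall_on,
        "av": req.av_age_days <= pol.max_av_age_days,
        "self_integrity": hmac.compare_digest(req.agent_sha256, pol.agent_sha256),
    }
    failed = [name for name, ok in {**identity, **integrity}.items() if not ok]
    if not all(identity.values()):
        return "DENY", failed     # not recognisably ours: never release the key
    decision = "RELEASE" if pol.auto_approve and not failed else "PENDING_MANUAL"
    return decision, failed

KEY = b"constructed-embedded-key"  # constructed sample data below, not from the slides
POLICY = Policy(KEY, frozenset({"eu-west"}), range(6, 20), 7, "ab" * 32, True)
GOOD = KeyRequest("vm-01", b"n1", prove(KEY, "vm-01", b"n1"), "eu-west", 9, True, 2, "ab" * 32)
COPIED = replace(GOOD, proof=prove(b"wrong-key", "vm-01", b"n1"), region="elsewhere")
STALE_AV = replace(GOOD, av_age_days=30)
```

The integrity fields are only as trustworthy as the agent that reports them, so a key server should log every decision together with the failed checks for later audit.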

Challenges for Public Cloud: The Private Security Answer

1) A self-defending host
2) Encrypted data

Shared network inside the firewall
Doesn't matter - treat the LAN as public

Shared firewall - Lowest common denominator - less fine grained control
Doesn't matter - treat the LAN as public

Multiple customers on one physical server - potential for attacks via the hypervisor
Doesn't matter - the edge of my virtual machine is protected

Easily copied machine images - who else has your server?
Doesn't matter - They can start my server but only I can unlock my data

Shared storage - is customer segmentation secure against attack?
Doesn't matter - My data is encrypted

Diagram labels: Internet, Virtual Servers, Shared Storage

A New Security Architecture For A New Era

All environments should be considered untrusted

Facilitates movement between datacenter & cloud
Delivers control, security and compliance through encryption
Avoids service provider lock-in
Enables secure storage recycling

Diagram labels: Users access app; Datacenter; Public Cloud; within the server; Encryption keys controlled by you; Encrypted Data; Data

The Data Centre Is Changing

Have your security strategies changed accordingly?

1. Improve Server Defences (supplement with IDS/IPS, FW, Application security)
   - Implement full audit and monitoring of virtualized environments
2. Use available virtualisation APIs for higher levels of security with simpler operations
3. Add virtualisation-aware agents where needed
4. Implement enterprise managed encryption to secure data in the cloud

Thank you